Survey on Current Password Composition Policies

  • Published : 2018.02.28

Abstract

Textual passwords are widely used for accessing online accounts. Despite the problems of current textual passwords, research has shown that there are no strong alternatives to textual passwords, owing to their simplicity. There has been significant research to make passwords more secure and usable through password composition policies, password managers, password meters, and multi-factor authentication. In this paper, we focus on several key studies that investigate and analyze widely used password composition policies, and we summarize the latest research that aims to improve current password composition policies.
